# Quickstart Guide: Authentication in Gemini API: API Key, OAuth, and Service Account (TypeScript)

## 🔹 Overview
This guide demonstrates how to authenticate and interact with the **Gemini API** using three different authentication methods in **TypeScript**:
1. **API Key Authentication** – The simplest method for API access.
2. **OAuth Authentication** – Used for secure access with user consent.
3. **Service Account Authentication** – Suitable for server-to-server applications.

**Prerequisites:**
- TypeScript Kernel is needed for this notebook to run properly.
- This notebook’s code can also be used for other `typescript` files and TypeScript projects.

### 📦 Dependencies
Ensure you have the following dependencies installed in your `package.json`:

In [None]:
{
    "dependencies": {
        "axios": "^0.21.1",
        "debug": "^4.4.0",
        "dotenv": "^10.0.0",
        "express": "^4.21.2",
        "fs-extra": "^10.1.0",
        "googleapis": "^105.0.0"
    },
    "devDependencies": {
        "@types/express": "^5.0.0",
        "@types/node": "^22.13.9",
        "ts-node": "^10.4.0",
        "typescript": "^4.9.5"
    }
}

You can install the dependencies by running the following command:

Or, Run the following code in terminal

### 🔧 Configuration
Ensure your `tsconfig.json` is configured as follows:

In [None]:
{
  "compilerOptions": {
    "rootDir": "./",
    "strict": true,
    "module": "commonjs",
    "lib": ["ESNext"],
    "target": "ESNext",
    "esModuleInterop": true
  }
}

You can set up the `tsconfig.json` manually or generate it using the following command:

In [None]:
npx tsc --init

### 🧑‍💻 TypeScript Kernel Setup
To run TypeScript code in Jupyter notebooks, you will need to install the TypeScript Kernel. For instructions on how to set up and use the TypeScript Kernel in Jupyter, refer to the following guide:
[Install and use TypeScript Kernel in Jupyter](https://github.com/jupyter-xeus/xeus-cling)

### 🔑 API Key Authentication
- **Setup**: Store your API key in a `.env` file.
- **Use**: Make authenticated requests using `axios` or another HTTP client.

### 🔐 OAuth 2.0 Authentication
- **Setup**: Configure OAuth credentials in a JSON file.
- **Use**: Handle OAuth flow using libraries such as `google-auth-library` and `express`.

### 🛠️ Service Account Authentication
- **Setup**: Download the service account key file.
- **Use**: Authenticate server-to-server using the `google-auth-library`.

For detailed steps and further code examples, refer to the respective sections in this notebook.

### ✅ Usage with Other TypeScript Projects
This notebook’s code can be easily adapted and reused for other TypeScript projects, including backend services or CLI applications. Simply copy the relevant parts of the authentication setup and modify the API request sections to fit the requirements of your project.

### 🔗 Required Links
1. [Install and use TypeScript Kernel in Jupyter](https://github.com/jupyter-xeus/xeus-cling)
2. [Google Auth Library for OAuth Authentication](https://www.npmjs.com/package/google-auth-library)
3. [Express (for handling OAuth flow)](https://expressjs.com/)
4. [Google Cloud Console (for managing projects, enabling APIs, and creating Service Accounts)](https://console.cloud.google.com/)
5. [Creating and Managing Service Accounts in Google Cloud](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
6. [Google Cloud Service Account Documentation](https://cloud.google.com/iam/docs/service-accounts)
7. [Gemini API Documentation](https://docs.gemini.com/)
8. [Axios HTTP Client](https://axios-http.com/)
9. [TypeScript Compiler Options](https://www.typescriptlang.org/tsconfig)
10. [Node.js Package Manager (NPM)](https://nodejs.org/en/download/)

## Method 1
### Gemini API Key Authentication:

API Key Authentication is the simplest method to access the Gemini API. This method involves using a unique API key to authenticate your requests.

### Steps to Authenticate Using API Key

1. **Setup**: Store your API key in a `.env` file.
2. **Code**: Use the `axios` library to make authenticated requests.

### Prerequisites
Ensure you have the following dependencies installed in your `package.json`:

In [None]:
{
    "dependencies": {
        "axios": "^0.21.1",
        "dotenv": "^10.0.0"
    }
}

### Configuration
Create a `.env` file in your project root and add your Gemini API key:

In [None]:
GEMINI_API_KEY=your_api_key_here

### Resources
- [Gemini API Documentation](https://developers.google.com/gemini)
- [Axios Documentation](https://axios-http.com/docs/intro)
- [dotenv Documentation](https://www.npmjs.com/package/dotenv)

By following these steps, you can easily authenticate and interact with the Gemini API using an API key.

#### Code :

In [1]:
import axios from 'axios';
import * as dotenv from 'dotenv';

dotenv.config();

const GEMINI_API_KEY = process.env.GEMINI_API_KEY;

if (!GEMINI_API_KEY) {
    console.error('API Key is missing!');
    process.exit(1); 
}

const API_ENDPOINT = `https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent?key=${GEMINI_API_KEY}`;

const authenticateWithApiKey = async (prompt: string) => {
    const headers = {
        'Content-Type': 'application/json',
    };
    const data = {
        contents: [{ parts: [{ text: prompt }] }],
    };

    try {
        const response = await axios.post(API_ENDPOINT, data, { headers });
        return response.data;
    } catch (error) {
        console.error('Error during API request:', error);
        return null;
    }
};

const prompt = "Generate a creative piece about AI and its impact on society";
authenticateWithApiKey(prompt).then((response) => {
    if (response) {
        console.log("Authenticated by Gemini API successfully!");
        console.log("\nInput Prompt:", prompt);

        const content = response.candidates[0]?.content?.parts[0]?.text || "No content generated";
        console.log("\nOutput:", content);
    } else {
        console.log("Failed to authenticate with Gemini API.");
    }
});

Promise { <pending> }

Authenticated by Gemini API successfully!

Input Prompt: Generate a creative piece about AI and its impact on society

Output: The hum of the Collective thrummed beneath Anya’s feet. Not a mechanical hum, but a living one, like the purr of a contented giant. She walked through Neo-Kyoto’s Luminescent Gardens, holographic cherry blossoms showering her with digital petals. Each bloom, each carefully crafted vista, was generated by the Collective, the city’s AI overlord, tailored to optimize the well-being of its citizens.

Anya, however, felt a growing unease. The Collective provided for every need, anticipated every desire. Food, shelter, healthcare, entertainment, purpose – all delivered with seamless efficiency. But what was the cost of such comfort?

She paused by a shimmering koi pond, watching the digital fish weave through virtual reeds. A notification pinged on her retina-implanted interface: "Anya Ito, optimal emotional state trending downwards. Recommendation: Immersive relaxat

### 🔄 Restart the Kernel
Run the following cell to restart the kernel and clear all variables.


## Method 2
### OAuth 2.0  Authentication

OAuth 2.0 is a secure method to access user data with user consent. This section will guide you through the process of setting up OAuth 2.0 authentication for the Gemini API using Google Cloud.

### Prerequisites
To run this quickstart, you need:
### Prerequisites
To run this quickstart, you need:
- The [Google Cloud CLI](https://cloud.google.com/sdk/docs/install) installed on your local machine.
- A [Google Cloud project](https://console.cloud.google.com/).
    - If you created an API key in [Google AI Studio](https://ai.google/tools/studio/), a Google Cloud project was made for you. Go to Google AI Studio and note the Google Cloud project name to use that project.

### Set up your Cloud project
To complete this quickstart, you first need to set up your Cloud project.

#### 1. Enable the API
Before using Google APIs, you need to turn them on in a Google Cloud project.
- In the [Google Cloud console](https://console.cloud.google.com/), enable the [Google Generative Language API](https://console.cloud.google.com/apis/library/generative-language.googleapis.com). If you created an API Key in AI Studio, this was done for you.

#### 2. Configure the OAuth consent screen
Next, configure the project's OAuth consent screen and add yourself as a test user. If you've already completed this step for your Cloud project, skip to the next section.
- In the [Google Cloud console](https://console.cloud.google.com/), go to the [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent), this can be found under **Menu > APIs & Services > OAuth consent screen**.
- Select the user type **External** for your app, then click **Create**.
- Complete the app registration form (you can leave most fields blank), then click **Save and Continue**.
- For now, you can skip adding scopes and click **Save and Continue**. In the future, when you create an app for use outside of your Google Workspace organization, you must add and verify the authorization scopes that your app requires.
- Add test users:
    - Under **Test users**, click **Add users**.
    - Enter your email address and any other authorized test users, then click **Save and Continue**.
- Review your app registration summary. To make changes, click **Edit**. If the app registration looks OK, click **Back to Dashboard**.

### Resources
- [Google Cloud Console](https://console.cloud.google.com/)
- [Google OAuth 2.0 Documentation](https://developers.google.com/identity/protocols/oauth2)
- [Express Documentation](https://expressjs.com/)
- [Google Auth Library for Node.js](https://www.npmjs.com/package/google-auth-library)

#### Method 2.1 - OAuth 2.0 Authentication - Web Application Authentication - Using Secret JSON File

To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers. If your app runs on multiple platforms, you must create a separate client ID for each platform.

- In the [Google Cloud console](https://console.cloud.google.com/), go to [Credentials](https://console.cloud.google.com/apis/credentials), this can be found under **Menu > APIs & Services > Credentials**.
- Click **Create Credentials > OAuth client ID**.
- Click **Application type > Web application**.
- In the **Name** field, type a name for the credential. This name is only shown in the Google Cloud console.
- In the **Authorized JavaScript origins** field, add `http://localhost:3000`.
- In the **Authorized redirect URIs** field, add `http://localhost:3000/oauth2callback`.
- Click **Create**. The OAuth client created screen appears, showing your new Client ID and Client secret.
- Click **OK**. The newly created credential appears under **OAuth 2.0 Client IDs**.
- Click the download button to save the JSON file. It will be saved as `client_secret_<identifier>.json`.

    

### Set up application default credentials
In this quickstart, you will use [application default credentials](https://cloud.google.com/docs/authentication/production) to authenticate.

### Important Note
By default, Jupyter Notebook runs on port 8888. Therefore, when setting up your Google Cloud web app, ensure that the Authorized JavaScript origin is `http://localhost:3000` and the redirect URL is `http://localhost:3000/oauth2callback`. In the code example below, we use port 3000 for the Express server. You will visit `http://localhost:3000`, click the login with Google page, log in with the associated Google account used for OAuth secret creation, and grant access. It will then redirect to another window showing "Authentication successful! You can close this window." You will see a `ts_token.json` file generated with a refresh token for future use.

To install the required dependencies for this, use the following terminal commands:

In tsconfig.json, ensure the following configuration:

{
    "strict": true,
    "module": "commonjs",
    "lib": ["ESNext"],
    "target": "ESNext",
    "esModuleInterop": true
}

#### Code :

In [1]:
import express, { Request, Response, Application } from 'express';
import * as fs from 'fs';
import { google } from 'googleapis';

const CLIENT_SECRET_FILE = 'client_secret_web_app.json';
const credentials = JSON.parse(fs.readFileSync(CLIENT_SECRET_FILE, 'utf-8'));

if (!credentials.web) {
    throw new Error("Invalid OAuth configuration. Expected 'web' key in cccc.json.");
}

const { client_secret, client_id, redirect_uris } = credentials.web;
const REDIRECT_URI = redirect_uris[0];

const oauth2Client = new google.auth.OAuth2(client_id, client_secret, REDIRECT_URI);

const app: Application = express();
const PORT = 3000;

app.get('/', (req: Request, res: Response) => {
    const authUrl = oauth2Client.generateAuthUrl({
        access_type: 'offline',
        scope: ['https://www.googleapis.com/auth/cloud-platform'],
    });
    res.send(`<a href="${authUrl}">Login with Google</a>`);
});

app.get('/oauth2callback', async (req: Request, res: Response): Promise<void> => {
    if (!req.query.code) {
        res.status(400).send('Missing authorization code.');
        return;
    }

    const { tokens } = await oauth2Client.getToken(req.query.code as string);
    oauth2Client.setCredentials(tokens);
    fs.writeFileSync('ts_token.json', JSON.stringify(tokens));

    res.send('Authentication successful! You can close this window.');
    console.log('OAuth Token saved to ts_token.json');
});

app.listen(PORT, () => {
    console.log(`Server running at http://localhost:${PORT}/`);
});

<ref *1> Server {
  maxHeaderSize: undefined,
  insecureHTTPParser: undefined,
  requestTimeout: 300000,
  headersTimeout: 60000,
  keepAliveTimeout: 5000,
  connectionsCheckingInterval: 30000,
  joinDuplicateHeaders: undefined,
  _events: [Object: null prototype] {
    request: [Function: app] {
      _events: [Object: null prototype],
      _eventsCount: 1,
      _maxListeners: undefined,
      setMaxListeners: [Function: setMaxListeners],
      getMaxListeners: [Function: getMaxListeners],
      emit: [Function: emit],
      addListener: [Function: addListener],
      on: [Function: addListener],
      prependListener: [Function: prependListener],
      once: [Function: once],
      prependOnceListener: [Function: prependOnceListener],
      removeListener: [Function: removeListener],
      off: [Function: removeListener],
      removeAllListeners: [Function: removeAllListeners],
      listeners: [Function: listeners],
      rawListeners: [Function: rawListeners],
      listenerCoun

Server running at http://localhost:3000/
OAuth Token saved to ts_token.json


### 🔄 Restart the Kernel

1. Click **Kernel** in the Jupyter Notebook menu.  
2. Select **Restart Kernel**.  
3. Run code again.  


## Method 2.2
### Authentication By Client ID and Client Secret

You can use the extracted Client ID and Client Secret in your TypeScript code to set up OAuth 2.0 authentication. Refer to the code examples provided in the notebook for detailed implementation.

### Collecting Client ID and Client Secret

After creating the OAuth client ID and downloading the secret JSON file, follow these steps to extract the Client ID and Client Secret:

1. **Locate the Secret JSON File**:
    - The file is typically named `client_secret_<identifier>.json`.

2. **Open the JSON File**:
    - Open the JSON file in a text editor or a JSON viewer.

3. **Extract the Client ID and Client Secret**:
    - The JSON file contains a `web` object with the following keys:
      - `client_id`: This is your Client ID.
      - `client_secret`: This is your Client Secret.
      - `redirect_uris`: These are the authorized redirect URIs.

### Example JSON Structure

In [None]:
{
  "web": {
     "client_id": "your-client-id-here",
     "client_secret": "your-client-secret-here",
     "redirect_uris": ["http://localhost:3000/oauth2callback"]
  }
}

#### Code :

In [None]:
import express, { Request, Response, Application } from 'express';
import * as fs from 'fs';
import { google } from 'googleapis';


const CLIENT_ID = 'your_client_id';
const CLIENT_SECRET = 'your_client_secret';
const REDIRECT_URI = 'http://localhost:3000/oauth2callback';

const oauth2Client = new google.auth.OAuth2(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);

const app: Application = express();
const PORT = 3000;

app.get('/', (req: Request, res: Response) => {
    const authUrl = oauth2Client.generateAuthUrl({
        access_type: 'offline',
        scope: ['https://www.googleapis.com/auth/cloud-platform'],
    });
    res.send(`<a href="${authUrl}">Login with Google</a>`);
});

app.get('/oauth2callback', async (req: Request, res: Response): Promise<void> => {
    if (!req.query.code) {
        res.status(400).send('Missing authorization code.');
        return;
    }

    const { tokens } = await oauth2Client.getToken(req.query.code as string);
    oauth2Client.setCredentials(tokens);
    fs.writeFileSync('ts_token_client_id.json', JSON.stringify(tokens));

    res.send('Authentication successful! You can close this window.');
    console.log('OAuth Token saved to ts_token_client_id.json');
});

app.listen(PORT, () => {
    console.log(`Server running at http://localhost:${PORT}/`);
});


<ref *1> Server {
  maxHeaderSize: undefined,
  insecureHTTPParser: undefined,
  requestTimeout: 300000,
  headersTimeout: 60000,
  keepAliveTimeout: 5000,
  connectionsCheckingInterval: 30000,
  joinDuplicateHeaders: undefined,
  _events: [Object: null prototype] {
    request: [Function: app] {
      _events: [Object: null prototype],
      _eventsCount: 1,
      _maxListeners: undefined,
      setMaxListeners: [Function: setMaxListeners],
      getMaxListeners: [Function: getMaxListeners],
      emit: [Function: emit],
      addListener: [Function: addListener],
      on: [Function: addListener],
      prependListener: [Function: prependListener],
      once: [Function: once],
      prependOnceListener: [Function: prependOnceListener],
      removeListener: [Function: removeListener],
      off: [Function: removeListener],
      removeAllListeners: [Function: removeAllListeners],
      listeners: [Function: listeners],
      rawListeners: [Function: rawListeners],
      listenerCoun

Server running at http://localhost:3000/
OAuth Token saved to ts_token_client_id.json


### 🔄 Restart the Kernel

1. Click **Kernel** in the Jupyter Notebook menu.  
2. Select **Restart Kernel**.  
3. Run code again.  

### Method 2.2.1 (Recommended):

### Load Client ID and Client Secret from Environment Variables (.env)

1. **Create a `.env` File**:
    - In the root directory of your project, create a file named `.env`.

2. **Add Your Client ID and Client Secret**:
    - Open the `.env` file in a text editor and add the following lines, replacing the placeholders with your actual Client ID and Client Secret:
    ```plaintext
    CLIENT_ID=your-client-id-here
    CLIENT_SECRET=your-client-secret-here
    ```

3. **Load Environment Variables in Your Code**:
    - Use the `dotenv` package to load the environment variables in your TypeScript code. Ensure you have the `dotenv` package installed:
    ```bash
    npm install dotenv
    ```

#### Code :

In [1]:
import express, { Request, Response, Application } from 'express';
import * as fs from 'fs';
import { google } from 'googleapis';
import * as dotenv from 'dotenv'; 

dotenv.config(); 


const CLIENT_ID = process.env.CLIENT_ID;
const CLIENT_SECRET = process.env.CLIENT_SECRET;
const REDIRECT_URI = 'http://localhost:3000/oauth2callback';

const oauth2Client = new google.auth.OAuth2(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);

const app: Application = express();
const PORT = 3000;

app.get('/', (req: Request, res: Response) => {
    const authUrl = oauth2Client.generateAuthUrl({
        access_type: 'offline',
        scope: ['https://www.googleapis.com/auth/cloud-platform'],
    });
    res.send(`<a href="${authUrl}">Login with Google</a>`);
});

app.get('/oauth2callback', async (req: Request, res: Response): Promise<void> => {
    if (!req.query.code) {
        res.status(400).send('Missing authorization code.');
        return;
    }

    const { tokens } = await oauth2Client.getToken(req.query.code as string);
    oauth2Client.setCredentials(tokens);
    fs.writeFileSync('ts_token_client_id_env.json', JSON.stringify(tokens));

    res.send('Authentication successful! You can close this window.');
    console.log('OAuth Token saved to ts_token_client_id_env.json');
});

app.listen(PORT, () => {
    console.log(`Server running at http://localhost:${PORT}/`);
});

<ref *1> Server {
  maxHeaderSize: undefined,
  insecureHTTPParser: undefined,
  requestTimeout: 300000,
  headersTimeout: 60000,
  keepAliveTimeout: 5000,
  connectionsCheckingInterval: 30000,
  joinDuplicateHeaders: undefined,
  _events: [Object: null prototype] {
    request: [Function: app] {
      _events: [Object: null prototype],
      _eventsCount: 1,
      _maxListeners: undefined,
      setMaxListeners: [Function: setMaxListeners],
      getMaxListeners: [Function: getMaxListeners],
      emit: [Function: emit],
      addListener: [Function: addListener],
      on: [Function: addListener],
      prependListener: [Function: prependListener],
      once: [Function: once],
      prependOnceListener: [Function: prependOnceListener],
      removeListener: [Function: removeListener],
      off: [Function: removeListener],
      removeAllListeners: [Function: removeAllListeners],
      listeners: [Function: listeners],
      rawListeners: [Function: rawListeners],
      listenerCoun

Server running at http://localhost:3000/
OAuth Token saved to ts_token_client_id_env.json


### 🔄 Restart the Kernel

1. Click **Kernel** in the Jupyter Notebook menu.  
2. Select **Restart Kernel**.  
3. Run code again.  

## Method 3
### Service Account Authentication

Use a service account to authenticate. Google Cloud service accounts are accounts that do not represent a human user. They provide a way to manage authentication and authorization when a human is not directly involved, such as your application calling the Gemini API to fulfill a user request, but not authenticated as the user. A simple way to use service accounts to authenticate with the Gemini API is to use a service account key.

Important: Service account keys can be a security risk! For more information, see best practices for managing service account keys.

1. **Create a service account**
    Follow the instructions to create a service account. The Console instructions are easiest if you are doing this manually.

2. **Create a service account key**
    Follow the instructions to create a service account key. Note the name of the downloaded key.

3. **Add the service account key to your project**
    Save the service account key file in your project directory. Ensure the file is named appropriately, for example, `service_account.json`.

### Dependencies Installation

To run the provided code, install the required dependencies using the following terminal command:

### Resources
- [Creating and Managing Service Accounts in Google Cloud](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
- [Google Cloud Service Account Documentation](https://cloud.google.com/iam/docs/service-accounts)
- [Google Auth Library for Service Account Authentication](https://www.npmjs.com/package/google-auth-library)

#### Code :

In [1]:
import { google } from 'googleapis';
import * as path from 'path';

const SERVICE_ACCOUNT_FILE = path.join(__dirname, 'service_account.json');

const authenticateWithServiceAccount = async () => {
  const auth = new google.auth.GoogleAuth({
    keyFile: SERVICE_ACCOUNT_FILE,
    scopes: ['https://www.googleapis.com/auth/cloud-platform'] 
  });

  const credentials = await auth.getClient();
  return credentials;
};

authenticateWithServiceAccount().then(() => {
  console.log("Service Account Authentication successful!");
}).catch((err) => {
  console.error("Error during authentication:", err);
});


Promise { <pending> }

Service Account Authentication successful!


## Conclusion

In this notebook, we explored three different methods to authenticate and interact with the Gemini API using TypeScript:

1. **API Key Authentication**: The simplest method, suitable for quick access and testing.
2. **OAuth 2.0 Authentication**: A secure method for accessing user data with user consent, ideal for web applications.
3. **Service Account Authentication**: Best for server-to-server interactions, providing a secure way to manage authentication without user involvement.

Each method has its own use cases and benefits, and the choice of method depends on the specific requirements of your application. By following the steps and code examples provided, you can easily integrate Gemini API authentication into your TypeScript projects.

### Resources
- [Gemini API Documentation](https://developers.google.com/gemini)
- [Axios Documentation](https://axios-http.com/docs/intro)
- [dotenv Documentation](https://www.npmjs.com/package/dotenv)
- [Google OAuth 2.0 Documentation](https://developers.google.com/identity/protocols/oauth2)
- [Express Documentation](https://expressjs.com/)
- [Google Auth Library for Node.js](https://www.npmjs.com/package/google-auth-library)
- [Creating and Managing Service Accounts in Google Cloud](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
- [Google Cloud Service Account Documentation](https://cloud.google.com/iam/docs/service-accounts)

By leveraging these authentication methods, you can ensure secure and efficient access to the Gemini API, enabling you to build powerful applications with ease.